[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IV sizes for AES candidates

>For one, it asks about different modes of operation instead of DES.  I 
>suspect that the same pressures that are pushing NIST to hold a modes 
>of operation workshop in October
>but I think that that question is (almost) orthogonal to the choice of 
>underlying block cipher.  There are a fair number of subtle issues in 
>mode of operation design, and I don't think that the IETF is the right 
>issue to explore ost of them.  (Practical or implementation aspects 
>are, of course, something we're good at.)

If the consensus of the group is that we should stick with the
tried-and-true  CBC mode, that's fine with us, and the next version of the
draft will reflect that.

>The modulus sizes suggested for different key lengths are quite high, 
>and I wonder if they're realistic.  I mean, a 15430 bit modulus for 
>Diffie-Hellman is just not going to happen.  I'm particularly concerned 
>by this sentence:
>   Implementations are encouraged to use the largest key sizes they can
>   when taking into account performance considerations for their partic-
>   ular hardware and software configuration.
>It isn't clear to me that there is any real security gain from using a
>256-bit symmetric key instead of a 128-bit key, and I don't know that 
>we should be encouraging it.  After all, the expense is borne by two 
>systems, not just one.
>		--Steve Bellovin

I guess that statement should be toned down - out of context it does sound
like overkill. 

The only keysize required by the draft is 128 bits; the others are
optional. We are interested in comments from the list - should the other
key sizes be mentioned at all? any other comments on the "IKE Interactions"

By the way, has anyone else implemented any of the AES candidates in IPsec
and/or IKE?

Sheila Frankel

Follow-Ups: References: